<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Deploying SSL decryption with Public CA in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/deploying-ssl-decryption-with-public-ca/m-p/10380#M7644</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P class="MsoNormal"&gt;I am trying to figure out how to deploy SSL decryption. I have it working in a test environment using an in-house CA and by importing the cert. into my browser. As we have Firefox users and can't export the Trusted Root CA with a GPO, I am looking for an alternative. As a CA beginner, I am struggling with some of the concepts.&lt;/P&gt;&lt;P class="MsoNormal"&gt;&lt;/P&gt;&lt;P class="MsoNormal"&gt;If I buy a cert for a known CA (GoDaddy - as I like Danica Patrick), can I use that cert on my PA and will the browser trust it? I have PAs at 5 locations (some HA pairs). Do I have to buy 5 certs (or more) or can I share the same cert?&lt;/P&gt;&lt;P class="MsoNormal"&gt;&lt;/P&gt;&lt;P class="MsoNormal"&gt;Any advice would be great.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Thu, 03 Feb 2011 20:41:55 GMT</pubDate>
    <dc:creator>john.langford@aplp.net</dc:creator>
    <dc:date>2011-02-03T20:41:55Z</dc:date>
    <item>
      <title>Deploying SSL decryption with Public CA</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/deploying-ssl-decryption-with-public-ca/m-p/10380#M7644</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P class="MsoNormal"&gt;I am trying to figure out how to deploy SSL decryption. I have it working in a test environment using an in-house CA and by importing the cert. into my browser. As we have Firefox users and can't export the Trusted Root CA with a GPO, I am looking for an alternative. As a CA beginner, I am struggling with some of the concepts.&lt;/P&gt;&lt;P class="MsoNormal"&gt;&lt;/P&gt;&lt;P class="MsoNormal"&gt;If I buy a cert for a known CA (GoDaddy - as I like Danica Patrick), can I use that cert on my PA and will the browser trust it? I have PAs at 5 locations (some HA pairs). Do I have to buy 5 certs (or more) or can I share the same cert?&lt;/P&gt;&lt;P class="MsoNormal"&gt;&lt;/P&gt;&lt;P class="MsoNormal"&gt;Any advice would be great.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 03 Feb 2011 20:41:55 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/deploying-ssl-decryption-with-public-ca/m-p/10380#M7644</guid>
      <dc:creator>john.langford@aplp.net</dc:creator>
      <dc:date>2011-02-03T20:41:55Z</dc:date>
    </item>
    <item>
      <title>Re: Deploying SSL decryption with Public CA</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/deploying-ssl-decryption-with-public-ca/m-p/10381#M7645</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi John,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;It is not possible to purchase the correct Certificate Authority cert from a trusted public source since only Server certs are sold.&amp;nbsp; Also, if this were allowed, it would invalidate the trust ecosystem that Certificates are based on, since then it would be possible to do trusted man-in-the-middle attacks out in the wild.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The Palo Alto Networks SSL decryption solution works best when the CA cert is generated from an internal CA that is already trusted in the company or that can be pushed out to the user's browser via global policy.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Cheers,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Kelly&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 03 Feb 2011 21:32:33 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/deploying-ssl-decryption-with-public-ca/m-p/10381#M7645</guid>
      <dc:creator>kbrazil</dc:creator>
      <dc:date>2011-02-03T21:32:33Z</dc:date>
    </item>
    <item>
      <title>Re: Deploying SSL decryption with Public CA</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/deploying-ssl-decryption-with-public-ca/m-p/10382#M7646</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi John,&lt;/P&gt;&lt;P&gt;If you use (and you should use) a Trust (internal) CA certificate, you need only one cert, the CA cert, and you have to import it in every PAN device you have.&lt;/P&gt;&lt;P&gt;Otherwise you can generate a Self Signed Certificate or a server certificate issued by your internal CA for every PAN device you have.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You don't have to use and import a Trust Root CA in your web browser but a Subordinate CA.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;First of all, I suggest you have a look at some PKI documentation. Understanding PKI is very important to use PAN SSL-D effectively.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 04 Feb 2011 15:23:28 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/deploying-ssl-decryption-with-public-ca/m-p/10382#M7646</guid>
      <dc:creator>migration</dc:creator>
      <dc:date>2011-02-04T15:23:28Z</dc:date>
    </item>
    <item>
      <title>Re: Deploying SSL decryption with Public CA</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/deploying-ssl-decryption-with-public-ca/m-p/10383#M7647</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Are you having a problem with Firefox specifically? I was able to get SSL decryption working using our internal CA and IE browsers on the domain, but Firefox does not seem to pick up the CAs in the Windows store, which caused some issues. Not sure if there is a solution to this.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 04 Feb 2011 20:08:11 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/deploying-ssl-decryption-with-public-ca/m-p/10383#M7647</guid>
      <dc:creator>KGC</dc:creator>
      <dc:date>2011-02-04T20:08:11Z</dc:date>
    </item>
    <item>
      <title>Re: Deploying SSL decryption with Public CA</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/deploying-ssl-decryption-with-public-ca/m-p/10384#M7648</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P class="MsoNormal"&gt;Firefox is the main problem. IE is not really a problem - I can use a GPO for the certs. Chrome uses the same certs as IE, so that works. But our friend Firefox does not seem to have an enterprise solution to manage it (for certs or other configs - we had a similar issue when deploying proxy settings).&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 04 Feb 2011 20:12:58 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/deploying-ssl-decryption-with-public-ca/m-p/10384#M7648</guid>
      <dc:creator>john.langford@aplp.net</dc:creator>
      <dc:date>2011-02-04T20:12:58Z</dc:date>
    </item>
  </channel>
</rss>

